VoIP's Security Vulnerabilities

garzpacho writes "Experts predict that attacks on VoIP systems could be right around the corner, and are calling for preemptive security measures. The BusinessWeek article compares the current state of voice-over-IP to the pre-spam email era and suggests that spammers could be the first to exploit the system. From the article: 'Here's what VoIP security breaches could mean for consumers. For starters, it's a big channel for spammers. Think of the Viagra ads that flood your e-mail inboxes now. They work because the cost of e-mailing thousands of people at once is so low, only 1% to 3% or so need to respond for it to be worth it, Ingevaldson says. Comparable economics apply to VoIP calls, he says. Then there are potential phishing attacks, where fraudsters posing as banks lead consumers to fake sites. Those and other attempts at identity theft could spring up via VoIP accounts too, experts say. Imagine the messages from relatives of deposed Nigerian dictators -- only this time they're on voice mail, too.'"

Re:You can thank stupid people.

[neonprimetime]

To actually fall for that Nigerian one... my God!

Stop stereotyping the Nigerians! We're taking donations to help fight the stereotyping of Nigerians ... please send donations to my paypal account : HelpTheNigerians ... or just send me your paypal id & password and I'll do the transfer for you.

From theoretical to real

[Billosaur]

Of course, there is a difference between potential threats and ones VoIP consumers are actually facing today. So far, much of this is theoretical--much like fears of mass viruses on mobile phones and disastrous phishing attacks over instant-message systems (see BusinessWeek.com, 1/5/06, "IM Security Is One Tough Sell"). VoIP attacks remain rare, although Gartner says Skype has made four big patches to vulnerabilities in the last 18 months.

And while it is all just theoretical, you know someone will eventually get their jollies figuring out how to hack VoIP and create a lane for spammers in the process. Going to VoIP removes a lot of the natural barriers that protect us from telemarketting calls now, and creates new vulnerabilities. There will be a lot more Caller ID spoofing; I can even conceive of someone creating malware that would be planted on your system and track the numbers you frequently call, to build spam call trees and more importantly to get ids and numbers you might trust so you would actually answer the calls. The possibilities are staggering.

I must sound like a broken record

[Sloppy]

Yet Again, I say: use public key crypto and a web-of-trust to authenticate that a call is from somebody who has a reputation to lose.

Nothing to lose? Then the call is lowest priority, probably the bit bucket unless you're expecting an unverified call, or you're just bored and feel like risking a talk with a telemarketer.

(Sorry, it's not my fault that so many current topics are related to problems that PK happens to solve. Really, I do know that there is more to life than spreading-the-gospel-of-openpgp.)

Re:You can thank stupid people.

[kefoo]

Never underestimate the power of money to overrule common sense. I saw it every day when I worked as a software engineer.

Not really

[Geoffreyerffoeg]

VoIP is more like the pre-spam IM era than the pre-spam e-mail era. And guess what. We're past the pre-spam IM era and it isn't even close to a problem. I get a spam IM about once every few months, if not rarer, and all it contains is an obfuscated link to some camgirl website or something (I haven't clicked, I'm just guessing).

VoIP, like IM, is a medium that does not lend itself to spam. What can they do, hire telemarketers? You can't very well robot a voice system. And because each system, like IM, is closed within a company, unless that company itself is spamming, they will quickly close down the accounts of anyone who spams because it's easy for them to track.

Reliability is lower too

[cecom]

All high-speed Internet providers that I have ever had (Comcast, Yahoo/SBC/AT&T) suffer outages periodically - say, about once every two months for several hours on the average, and this is only the outages that I know about, since I don't use my home computer all the time. Happens at work too - at one time our business DSL was out for two days (thank you "new" AT&T). The electrical power has also been out several times. At the same time I don't remember a single problem with my land line. Note that I live in the San Francisco Bay Area, so this is a relatively high-tech place.

You end up depending on both consumer-grade Internet service and electrical power, neither of which is completely reliable. Which is probably OK, esp if you have your cell phone, so I am not advocating against Vonage.

However it strikes me that people generally do not realize that the Internet connection (as the Internet itself) is not completely reliable. At a trade show a sales person was trying to convince of the benefits of their credit card authorization software, which resides on their own server and is accessible as a web service. The idea is that the consumer pays for a service (e.g. in a hair salon) in advance and then gets to use it for a period of time. Not bad stuff, actually, but that is beside the point. When I told her that I am worried about reliability in case the internet connection is down and the customer will not be able to be authorized for the service they already paid for, she looked at me silly and said: "Ihe Interned connection down ? Does that ever happen?" Duh! It happens!

Re:You can thank stupid people.

[arminw]

......Within one week of activating a new POTS phone line, I started receiving about three or four calls per night. It got the point where I stopped answering my home phone unless I was expecting a call. I disconnected my answering machine .....

Caller ID in combination with an old Mac Classic used as an answering machine has solved our unwanted phone call problems almost perfectly.

The Mac allows the audible, live monitoring of the first 10 seconds of any message coming in within which time we can decide to answer the phone or not. Any number we don't know or not listed is not answered live by us at all unless the caller leaves a message, which is also not answered unless we want to. A large display caller ID shows who is calling. The Mac answers all calls we don't recognize. We have not talked to a single phone solicitor in several years. Something like this should work even better for VOIP, since the computer can contain a list of callers the recipient is willing to talk to. The other calls go into the junk call bin, just as the spam junk e-mail does. The only calls that get answered live are the wanted ones. The do not call list is worthless anyway, but just as the spammers use technology, so, technology can also work against them. Fight fire with fire.

Voice spam is impractical

[Norbert_05]

The way SIP works makes voice spam impractical. Basically, a call is set up in two steps. 1) The calling party sends an INVITE message to your provider's PBX / main server / whatever. This would be vonage, or whoever your VOIP provider is. This 'call' connects, and an audio path is established between your provider and the calling party. From the caller's perspective, he has a live, answered, call at this point. 2) your provider sends an INVITE message to your phone. This establishes an audio path from your phone to the carrier. At this stage, the carrier either connects the two audio streams internally, or can use another pair of INVITE messages to direct the audio streams of the two phones to each other. There's no way for the calling party to identify when that second audio stream has been established; from their perspective, the call exists as soon as the provider accepts the initial INVITE message. Obviously, you could start playing audio at that stage, but there's no guarentee someone's actually on the other end of the line. If you're doing a recorded audio play, you're faced with either loosing part of the message, or playing dead air for a while. The only way around this is to dial the direct SIP extension of the customer's phone, but you need know their userext (which is different than their actual phone number) and the IP address of the user's phone, which is highly unlikely since the end user doesn't even have those bits of information (usually) Furthermore, filtering is easy. An INVITE message has to specify a valid IP for the audio stream to be set up. It's trivial to simply block INVITE's from certain IP's in software, if your carrier / phone supports that. Spoofing an IP at this stage is impossible, since that would just prevent the RTP stream from working, and it also makes it easy to figure out who's actually calling you, since you have the IP of the server the audio is coming from. (assuming your provider did the reinvite bit, which virtually all SIP implementations do) That's totally ignoring the much higher bandwidth requirements of transmitting that many audio streams and associated problems with that.

Re:You can thank stupid people.

[Stellian]

VoIP phone spamming won't be any different than current telemarketing.

Wrong !
That's just like saying email spam won't be any different than junk mail.
VoIP spam is a nightmare in the making. A normal telemarketer needs to pay to have access to the phone network, and needs to be a business so it could be held accountable for any wrongdoings. It cannot operate from China or the long distance costs would kill it. There is only so much calls you can initiate per second from a normal telco trunk. You also need a human operator for each call, the costs per call tipically do not allow you to waste them with recorded message.
Enter VoIP Telemarketing: anonymous Viagra kings, enjoying the anonymity and low cost of the Internet calls to make billions of robot calls from zombied machines. In my opinion, it's the worst threat facing VoIP today.